A ransomware strain named Fog recently hit a financial institution in Asia. What makes this attack stand out is the way the attackers combined open-source hacking tools with legitimate, commercially available software to carry out their plan. The mix helped them stay unnoticed for a long time and cause serious damage.

The attackers got in using compromised VPN credentials. Once inside, they used pass-the-hash to reuse stolen credential hashes and move between machines, disabled Windows Defender, and finally encrypted files, including entire virtual machines.

Instead of relying on complex custom malware, they used publicly available tools and ordinary business applications. For example, they deployed Syteca, a genuine employee-monitoring product, to record keystrokes and capture screenshots. To deliver Syteca to target machines and tunnel their traffic through the network without raising alarms, they used Stowaway, an open-source multi-hop proxy tool.

To spread across systems and gain more control, the attackers used SMBExec and PsExec, both of which ship with Impacket, a widely used penetration-testing toolkit. They ran command-and-control through GC2 and Adaptix C2, two open-source frameworks anyone can download. To package and move stolen data, they turned to familiar utilities: 7-Zip for archiving, and MegaSync and FreeFileSync for uploading and syncing the archives off the network.

This combination of tools let the attackers blend into normal administrative activity, which makes them much harder to spot. Security researchers noted that this approach is very unusual for a ransomware operation. Ransomware crews normally lean more on custom code, but Fog shows that freely available tools can be just as dangerous in the wrong hands.

What’s more concerning is that the attackers stayed inside the network for nearly two weeks before they began encrypting anything. Even after the ransomware was deployed, they left behind a separate persistence tool, possibly so they could return later or keep spying on the organization. This suggests the attack wasn’t only about the ransom; it may also have involved long-term surveillance or data theft.

Since it first appeared in April 2024, Fog ransomware has evolved quickly. It started out targeting schools in the United States but now hits financial services, manufacturers, and even government systems. Security experts believe Fog may not be a single group but rather a ransomware tool used by several criminal gangs, which makes it even harder to track or predict.

So, how can companies protect themselves? The first step is to enforce multi-factor authentication (MFA), especially on VPNs and other remote-access tools, since stolen VPN credentials were the way in here. Organizations should also keep an eye on their logs for the traces these tools leave: PsExec and SMBExec both install a temporary Windows service on the target machine, Defender being switched off shows up as a tamper or configuration-change event, and pass-the-hash produces unusual logon events. Watching for tools like Stowaway, Syteca, and PsExec can catch an intrusion early, with one caveat: 7-Zip, sync clients, and even PsExec have legitimate uses, so the useful signal is who ran them, from where, and on what data, not just that they exist. Finally, keep backups that are offline or otherwise disconnected from the main network, and test restoring from them before you need to.
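As an added example (not code from the original article or from the researchers who analysed the Fog intrusion), here is a small detector that runs the checks described above over a handful of constructed log events: the tool names from the tooling paragraph, the PsExec/SMBExec service-install traces, the Defender-disable command, archive staging with 7-Zip, and a well-known pass-the-hash logon heuristic. The event format is a simplified JSON-lines shape modelled on Sysmon and Windows Security events; the field names, the sample events, and the Syteca/Stowaway/MegaSync binary names are assumptions for illustration, not real telemetry.

```python
"""Toy detector for the living-off-the-land tooling seen in the Fog case.

Added example: not the article's or any vendor's code. Events are a
simplified, Sysmon/Security-log-like JSON shape constructed for this demo.
"""
import json
import re

# Image names that deserve an alert on hosts that should not run them.
# The Syteca/Stowaway/MegaSync/FreeFileSync file names are assumptions;
# confirm the real binary names from the vendor before deploying.
SUSPECT_IMAGES = {
    "stowaway": "Stowaway proxy (open-source) on host",
    "syteca": "Syteca monitoring agent outside its approved scope",
    "megasync": "MegaSync client (possible exfiltration channel)",
    "freefilesync": "FreeFileSync (possible staging/exfiltration)",
}

# Impacket smbexec.py defaults: service name BTOBTO, output via \\127.0.0.1\C$\__output.
# Sysinternals PsExec (and Impacket psexec.py) install a service named PSEXESVC.
SMBEXEC_RE = re.compile(r"__output|BTOBTO", re.IGNORECASE)
PSEXEC_RE = re.compile(r"PSEXESVC", re.IGNORECASE)
# Real Defender cmdlet used to turn off real-time protection.
DEFENDER_RE = re.compile(r"Set-MpPreference.*-Disable\w*Monitoring\s+\$?true", re.IGNORECASE)
# 7-Zip 'a' (add to archive) subcommand, typical of pre-exfiltration staging.
ARCHIVE_RE = re.compile(r"7z(?:a|g)?\.exe\"?\s+a\s", re.IGNORECASE)


def scan(event_lines):
    """Return (rule, host, detail) tuples for every event that trips a rule."""
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        if eid == 1:  # Sysmon process creation
            image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            cmd = ev.get("command_line", "")
            for needle, why in SUSPECT_IMAGES.items():
                if needle in image:
                    hits.append(("suspect_tool", host, f"{image}: {why}"))
            if DEFENDER_RE.search(cmd):
                hits.append(("defender_disabled", host, cmd))
            if ARCHIVE_RE.search(cmd):
                hits.append(("archive_staging", host, cmd))
        elif eid in (7045, 4697):  # service installed (System / Security log)
            svc, path = ev.get("service_name", ""), ev.get("service_path", "")
            if PSEXEC_RE.search(svc) or PSEXEC_RE.search(path):
                hits.append(("psexec_service", host, f"{svc} -> {path}"))
            elif SMBEXEC_RE.search(svc) or SMBEXEC_RE.search(path):
                hits.append(("smbexec_service", host, f"{svc} -> {path}"))
        elif eid == 4624:  # logon
            # Mimikatz-style pass-the-hash: LogonType 9 (NewCredentials) from
            # logon process 'seclogo' with the Negotiate package. Known heuristic.
            if (ev.get("logon_type") == 9
                    and ev.get("logon_process", "").lower() == "seclogo"
                    and ev.get("auth_package", "").lower() == "negotiate"):
                hits.append(("pass_the_hash", host, ev.get("target_user", "?")))
    return hits


# Constructed sample events (not real logs). Two are benign and must not alert.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "FIN-WS01", "event_id": 1, "image": r"C:\Users\jdoe\AppData\Local\Temp\stowaway.exe",
     "command_line": "stowaway.exe -c 203.0.113.5:443"},
    {"host": "FIN-WS01", "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "FIN-SRV02", "event_id": 7045, "service_name": "PSEXESVC", "service_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FIN-SRV03", "event_id": 7045, "service_name": "BTOBTO",
     "service_path": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"},
    {"host": "FIN-WS01", "event_id": 4624, "logon_type": 9, "logon_process": "seclogo",
     "auth_package": "Negotiate", "target_user": "svc_backup"},
    {"host": "FIN-WS01", "event_id": 1, "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret -mhe=on staged.7z D:\Finance\Q2'},
    {"host": "FIN-WS01", "event_id": 1, "image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
     "command_line": "MEGAsync.exe"},
    {"host": "FIN-WS07", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"host": "FIN-WS07", "event_id": 4624, "logon_type": 2, "logon_process": "User32",
     "auth_package": "Kerberos", "target_user": "asmith"},
]]

if __name__ == "__main__":
    for rule, host, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Each rule here is a starting point rather than a finished detection: the dual-use tools in `SUSPECT_IMAGES` should be scoped to hosts or users where they are not expected, and the service-install and logon checks are worth correlating by host and time, since in the Fog case they would have appeared within the same two-week window.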

In the end, the Fog ransomware case is a clear reminder that everyday tools can become dangerous in the hands of attackers. Businesses must stay a step ahead by tightening access controls, improving detection of misused legitimate tools, and preparing for more creative intrusions like this one.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news